OpenWire Lab

Q1) By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

Answer: 146.190.21.92

Q2) Initial entry points are critical to trace back the attack vector. What is the port number of the service the adversary exploited?

tcp.flags.syn == 1 && tcp.flags.ack == 0

This will show only the SYN packets that initiate connections.

Answer: 61616

Q3) Following up on the previous question, what is the name of the service found to be vulnerable?

Narrowing the capture to the C2 address and the exploited port, then following the TCP stream, shows which service answered on it:

ip.addr == 146.190.21.92 && tcp.port == 61616

Answer: Apache ActiveMQ

Q4) The attacker's infrastructure often involves multiple components. What is the IP of the second C2 server?

Excluding every packet to or from the first C2 leaves only the conversations with the remaining external host:

ip.src != 146.190.21.92 and ip.dst != 146.190.21.92

Answer: 128.199.52.72

Q5) Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

An alternative filter, listing the HTTP GET requests whose request URIs name the file that was fetched:

http.request.method == "GET"

Answer: docker
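The three display filters used for Q2, Q4 and Q5 can be reproduced outside Wireshark when a capture has to be triaged in a script. The following is an added example, not part of this write-up and not taken from the lab's pcap: it builds a small constructed libpcap file in memory (the victim address 192.0.2.10, MAC addresses, ports other than 61616, sequence numbers and payload bytes are all made up), parses it with plain struct unpacking, and implements each filter as a function. The function names syn_targets, peers_excluding and http_get_uris are this example's own.

```python
import struct
from collections import Counter

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

# Addresses and port named in the write-up; the victim address is a
# constructed placeholder, not the lab server's real IP.
C2_PRIMARY = "146.190.21.92"
C2_SECONDARY = "128.199.52.72"
VICTIM = "192.0.2.10"
ACTIVEMQ_PORT = 61616


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero since nothing here verifies them."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1 if flags & TCP_ACK else 0,
                      5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for each IPv4/TCP record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield (_ip_str(ip_hdr[12:16]), _ip_str(ip_hdr[16:20]),
               sport, dport, tcp[13], tcp[data_off:])


def syn_targets(pcap, src_ip):
    """Q2: `tcp.flags.syn == 1 && tcp.flags.ack == 0`, restricted to one source address."""
    hits = Counter()
    for src, dst, _, dport, flags, _ in iter_tcp(pcap):
        if src == src_ip and flags & TCP_SYN and not flags & TCP_ACK:
            hits[(dst, dport)] += 1
    return dict(hits)


def peers_excluding(pcap, known_ip, server_ip):
    """Q4: `ip.src != known && ip.dst != known`, reporting the non-server endpoints."""
    peers = set()
    for src, dst, *_ in iter_tcp(pcap):
        if known_ip not in (src, dst):
            peers.update(ip for ip in (src, dst) if ip != server_ip)
    return peers


def http_get_uris(pcap):
    """Q5: `http.request.method == "GET"`, returning (server, request URI) pairs."""
    return [(dst, payload.split(b" ")[1].decode())
            for _, dst, _, _, _, payload in iter_tcp(pcap) if payload.startswith(b"GET ")]


# Constructed sample traffic: a connection from the first C2 to the OpenWire
# port, then the server fetching a file from the second host.
SAMPLE_PCAP = build_pcap([
    build_frame(C2_PRIMARY, VICTIM, 40002, ACTIVEMQ_PORT, TCP_SYN),
    build_frame(VICTIM, C2_PRIMARY, ACTIVEMQ_PORT, 40002, TCP_SYN | TCP_ACK),
    build_frame(C2_PRIMARY, VICTIM, 40002, ACTIVEMQ_PORT, TCP_ACK),
    build_frame(C2_PRIMARY, VICTIM, 40002, ACTIVEMQ_PORT, TCP_PSH | TCP_ACK, b"ActiveMQ"),
    build_frame(VICTIM, C2_SECONDARY, 50000, 80, TCP_SYN),
    build_frame(C2_SECONDARY, VICTIM, 80, 50000, TCP_SYN | TCP_ACK),
    build_frame(VICTIM, C2_SECONDARY, 50000, 80, TCP_PSH | TCP_ACK,
                b"GET /docker HTTP/1.1\r\nHost: 128.199.52.72\r\n\r\n"),
])

if __name__ == "__main__":
    print("SYN targets:", syn_targets(SAMPLE_PCAP, C2_PRIMARY))
    print("other peers:", peers_excluding(SAMPLE_PCAP, C2_PRIMARY, VICTIM))
    print("GET requests:", http_get_uris(SAMPLE_PCAP))
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the .pcap file (pcapng needs a different reader). The parser deliberately does no TCP reassembly, so http_get_uris only sees a request line that starts a segment, which is the common case for small requests but not a guarantee.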

Q6) What Java class was invoked by the XML file to run the exploit?

Answer: java.lang.ProcessBuilder

Q7) To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

Answer: CVE-2023-46604

Q8) To address the vulnerability, the vendor added a validation step, preventing exploitation. In what Java class and method was this validation step added? (Format: Class:Method)

Answer: BaseDataStreamMarshaller.createThrowable
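The validation step named in Q8 is easier to reason about as a pattern than as a single patch line: a class name read from an untrusted stream is resolved and instantiated with a string argument, and the fix refuses any resolved class that is not a Throwable. The code below is an added Python analogue written for this write-up, not ActiveMQ's Java source; the function names resolve_class, validate_is_throwable, create_throwable and try_create are this example's own, and Python's BaseException stands in for Java's Throwable.

```python
import builtins
import importlib


def resolve_class(dotted_name):
    """Turn a class name read from the wire into a class object (Python analogue of
    Class.forName in the marshaller)."""
    module_name, _, attr = dotted_name.rpartition(".")
    module = importlib.import_module(module_name) if module_name else builtins
    return getattr(module, attr)


def validate_is_throwable(cls):
    """The added validation step: accept only exception types, whatever else the
    named class might be able to do when constructed."""
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise ValueError(f"{cls!r} is not a Throwable; refusing to instantiate it")
    return cls


def create_throwable(class_name, message):
    """Rebuild an exception from the (class name, message) pair carried in an
    ExceptionResponse. The pre-fix pattern instantiated the resolved class
    without the validate_is_throwable() call in between."""
    cls = validate_is_throwable(resolve_class(class_name))
    return cls(message)


def try_create(class_name, message):
    """Demonstration wrapper returning ('ok', instance) or ('rejected', reason)."""
    try:
        return "ok", create_throwable(class_name, message)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_create("builtins.RuntimeError", "broker error"))  # accepted
    print(try_create("builtins.str", "anything"))              # rejected
```

The check is an allow-by-type rule rather than a deny-list of known dangerous classes, which is why a single isinstance/issubclass test closes the whole class of "instantiate an arbitrary class with a String constructor" problems instead of chasing individual gadgets.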
